Do you have staff working from home? Is this going to be part of your long-term strategy? With the pandemic still around and office parking as expensive as it is, the answer to that question is most likely “yes”.
Why compromise the safety of your enterprise when you can operate equally well, or potentially better, with your staff working from the safety and comfort of their homes? But, for all the security it offers employees, did you know that the WFH model can put your data at risk? Often overlooked risks include accessing company information from insecure devices, over unmanaged networks, and potentially within view of other people not employed by your organization (think roommates, spouses, children, etc.).
When your employees work remotely, your data could inadvertently become more vulnerable to cybercrime if appropriate training and protective measures aren’t put in place. This blog discusses five strategies you should revisit to ensure the WFH environment is safe for both your employees and your data.
#1 Company-owned and managed devices
When millions of people shifted to remote work in March of 2020, there was a rush to get them functional as soon as possible. This migration often meant that employees used their personal computers at home to log in and do their work. And while this was convenient in the short term, it creates risk as a long-term solution because the company can no longer enforce its standards, management, and protections on those devices. They are, after all, the property of the employee. Generally speaking, any information stored on those personal computers is in a legal “grey area”. Anyone who’s had a staff member quit on bad terms will know the pain of realizing their proprietary information is no longer under their control.
To minimize this risk, your organization should establish a standard for how your employees are permitted to access, store, and manipulate information (and from which devices). If you plan on allowing Work From Home as a long-term strategy, we recommend assigning each employee a company-owned and managed device. They should be aware that this device is to be used for work purposes only and that your management, security, and other administrative tools are installed to benefit the company and its ongoing data security.
#2 Consistently deployed commercial-grade anti-malware tools
Any discussion about data security starts with anti-malware applications. These applications are a key element that helps keep your computers safe from viruses, ransomware, adware, and other forms of malware.
We’ve noted explicitly that this should be a “commercial-grade” solution, meaning that you have a central management, monitoring, and reporting console that allows you to check the health, patch status, and any detections across all of your company devices. You cannot leave this protection up to the individual users to manage because they will often disable or lower protections to avoid interruptions, which could lead to infections on those devices. A commercial-grade solution will not allow your staff to ignore an event and will manage the protections based on the settings and policies you’ve configured.
We’ve moved past using traditional antivirus-only applications to software packages that include Machine Learning and Behaviour Analysis to detect threats and stop them before they can cause too much damage to your network. Tier 3 IT Solutions are experts in deploying these Antivirus and Anti-Ransomware solutions and would be happy to help you assess your needs and choose the right product.
#3 Multi-Factor Authentication
It’s well-known that most people have poor “password hygiene”, meaning that they use simple passwords, re-use them across different sites and software applications, and share them with their coworkers when asked. When data breaches happen, it’s usually because a password has been compromised through a phishing attack or another data exfiltration event. With that in mind, it is critical that we move beyond passwords as a means of securing our data.
Instead of using a single password for data access, multi-factor authentication adds additional layers of security for devices. Multi-factor authentication works by confirming the identity of the accessing user across three areas.
a) What they know: Examples include asking for User IDs, passwords, answers to ‘secret questions’, verification of their date of birth, etc.
b) What they have: This includes physical tokens, access cards, OTPs sent via text or email, etc.
c) Who they are: This authentication mechanism includes biometric authentication such as retina scan, fingerprint, or voice recognition.
Setting up Multi-Factor Authentication can be time-consuming because it has to be done individually for each site or service. We recommend that every time you log into a webpage, you check the security settings to see if Multi-Factor Authentication is an option. If it is, turn it on. It will help ensure only you can log into those sensitive sites.
#4 The Cloud
Using a Cloud Service like Microsoft OneDrive for Business to store and share your files presents many advantages in the WFH environment. It saves time and effort as files don’t have to be e-mailed back and forth or transported via USBs, it eliminates version control challenges, and also ensures timely access to data. But did you know that you can leverage the Cloud to thwart security threats presented by the WFH scenario?
OneDrive for Business lets your employees work safely from anywhere and offers more safety than local data storage mechanisms. Any data in the Cloud is encrypted, which means it is not as easy for cybercriminals to access confidential information as it might be when someone hacks a PC. If you’ve configured your Multi-Factor Authentication and put in place data access restrictions, you can be confident that only your staff have access to the files.
Additionally, by storing your data in the Cloud and running regular backups, you can be confident that the risk of total loss is relatively low compared to traditional methods and technologies. Another great benefit of this service is that an employee can get set up to access the information on a new computer relatively quickly, regardless of their location in the world.
#5 Cyber Security Awareness Training
Lack of Cyber Security knowledge is one of the primary reasons companies and individuals become victims of cybercrime. All it takes is one wrong click to open the floodgates, and the only way to stop that from happening is to train your employees on cybersecurity best practices.
Training will provide them with a clear set of do’s and don’ts and help them identify situations where they may become a possible target. Training on cybersecurity best practices can cover a wide range of topics, but here are an essential few:
• Password hygiene across multiple sites
• What does a good password look like?
• Why is password sharing improper?
• How to identify phishing attempts?
• Why is it important to install software updates and patches on a timely basis?
• Data storage best practices
• The risks associated with public WiFi such as those at malls, coffee shops, or airports
You can also conduct mock drills to check who has grasped these concepts and who needs further training. An example may be emailing staff from an external account, posing as a manager or supervisor.
WFH opens up whole new horizons in terms of flexibility, productivity, and cost savings. But, it also opens your business up to cybercriminals, as you can’t have a hands-on approach to cybersecurity, especially if your employees are using their own devices for work. An experienced I.T. Provider, like Tier 3 IT Solutions, can help you overcome the cybersecurity challenges presented by the WFH scenario.
We put your mind at ease by taking care of everything–from anti-malware solutions to employee training and beyond. To learn more about our services, explore our website or contact us for more information!